The European Commission will attempt to bolster the bloc’s cybersecurity rules as part of an upcoming review of the network and information security (NIS) directive, it has been revealed.
The 2016 NIS Directive lays down new standards for cybersecurity resilience across essential services and also introduces requirements for cross-border cooperation and threat intelligence sharing.
As part of an upcoming review of the directive, due to be presented by the EU executive on 15 December, the Commission will propose expanding the sectoral scope of services covered by the rules, and may also propose converting the directive into a regulation, as a means to address the fragmentation that has occurred across EU member states.
Commission Vice-Presidents Margrethe Vestager and Margaritis Schinas are set to present the review after having digested the feedback received in public consultations earlier this year.
Expanding the sectoral scope
Speaking at a recent online event, Jakub Boratyński, head of unit for cybersecurity and digital privacy in the Commission’s DG Connect, revealed that the ‘sectoral scope’ of services covered by the cybersecurity rules will be expanded.
“We’ll look to extend the sectoral scope and make sure that the requirements are crystal clear, for those who are unsure about whether they are in the scope or not,” Boratyński said, adding that the Commission had also been alerted to inconsistencies in the application of the directive across EU member states.
In this vein, Boratyński noted that a Commission probe into the identification of so-called operators of essential services across the EU had found that member states applied a variety of approaches, leaving the designation process inconsistent across the bloc.
This undermines the level playing field of the internal market and can leave the bloc more exposed to cyber threats, said Boratyński, speaking at an event hosted by the Centre for European Policy Studies earlier this week.
To close these gaps, the Commission reportedly foresees a so-called ‘NIS 2.0’ that would take the form of a regulation rather than a directive, ensuring greater harmonisation across the single market. Unlike a directive, which each member state transposes into national law in its own way, a regulation applies directly and uniformly in every member state.
Amid the coronavirus pandemic, bolstering the bloc’s cybersecurity standards has risen rapidly up the EU policy agenda, as remote working has increased sharply and more people have spent time using connected devices at home.
A recent report by the EU’s cybersecurity agency ENISA stated that the EU’s cybersecurity resilience has been pushed to the limit of its capacities as a result of the ongoing public health crisis.
“While working from home, cybersecurity specialists had to adapt existing defences to a new infrastructure paradigm, attempting to minimise the exposure to a variety of novel attacks where the entry points are employees’ Internet-connected home and other smart devices,” the agency’s Threat Assessment report 2020 states.
“At the same time and under high-pressure, they had to implement solutions based on previously less trusted components, such as remote access through the public Internet, cloud services, unsecured video streaming services, and mobile devices and apps.”
Meanwhile, earlier this year, concerns had emerged over the resilience of the bloc’s critical infrastructure, particularly health bodies, after reports that some hospitals had come under attack from foreign actors.
Next tech and threat intelligence sharing
More broadly, refinements are also set to be made in light of the bolstered 5G security requirements, to ensure the rules remain coherent with next-generation telecommunications.
In terms of threat intelligence sharing, Boratyński noted the Commission would like to consider the idea of establishing ‘structured incentivised frameworks’ for voluntary information sharing.
“This is something that we’d also like to push for with this instrument because we can see that this plays an extremely important part as a complement to the mandatory reporting of incidents.”
[Edited by Zoran Radosavljevic]